Hi,

I have been trying to get the openssl s_time command to measure the SSL performance despite the non-existing documentation and need some help. All tests from "make test" complete successfully.

To set up the test client, I have copied our root cert file from my Apache server to the client side and have referred to this CA cert on the client side with the "-CApath <path>" and "-CAfile cacert.pem" command parameters. When I run "openssl s_time" against my Apache server, I see handshakes but no data being transferred, something like

    [<myprompt>]$ apps/openssl s_time -CApath . -CAfile cacert.pem -cipher DES-CBC3-SHA -new -connect <servername>:443
    Collecting connection statistics for 30 seconds
    tttttttttttttttttttttttttttttttttttttttttttttttt ...
    tttttttttttttttttttttttttttttttttttttttttttttttt ...
    tttttttttttttttttttttttttttttttttttttttttttttttt ...
    tttttttttttttttttttttttttttttttttttttttttttttttt ...
    tttttttttttttttttttttttttttt
    508 connections in 1.61s; 315.53 connections/user sec, bytes read 0
    508 connections in 31 real seconds, 0 bytes read per connection
    [<myprompt>]$

I inserted a sniffer and found that the handshake aborts at the end. The client sends a key exchange message although the server did not send one - how can this happen? I do not understand this because the client key exchange msg is enciphered with the public key from a server key exchange msg, not with the public key from the server cert!

The sequence is:

    client hello V2
    server hello
    server cert + chain
    server hello done
    client key exchange !!!! ???
    client change cipher spec
    client finished
    server change cipher spec
    server finished
    ERROR,: Client has closed the socket, no data read from client
    server sends closure alert (enciphered, so it must be closure)
    server closes socket

I played with the -key and -cert parameters (taken from the source) in the hope that they might change something on the client side but to no avail. I generated a client key pair and signed it with my CA and let the key and cert parameters point at these two files like:

    apps/openssl s_time -CApath . -CAfile cacert.pem -key osslClt_1024.key -cert osslClt_1024.crt -cipher DES-CBC3-SHA -new -connect <sniffer_IP_adrs>:<port>
    Collecting connection statistics for 30 seconds
    tERROR

The same sequence as above happens. I have set the sniffer to abort after one connection, therefore it stopped after one "t".

a) Any hints how I should set up the openssl s_time test?
b) Any ideas about the surplus client key exchange?

The CA cert, the server cert and the client cert (where I referenced it) all have a 1024 bit modulus.

Regards,
Martin
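
Added example, not part of the original post: a small checker that compares a sniffed handshake trace with the TLS 1.0 (RFC 2246) full-handshake order for a given key-exchange method. With plain RSA key exchange, which is what DES-CBC3-SHA uses, the client encrypts the premaster secret under the RSA key in the server certificate, so no server key exchange message precedes the client key exchange. The function names and the normalized message labels are assumptions made for this example, and the trace is transcribed from the post.

```python
# Key-exchange methods where the server certificate already carries the key
# the client needs, so no ServerKeyExchange is sent (RFC 2246, section 7.4.3).
NO_SERVER_KX = {"RSA", "DH_RSA", "DH_DSS"}

# OpenSSL cipher names mapped to their key-exchange method (two samples).
OPENSSL_KX = {"DES-CBC3-SHA": "RSA", "EDH-RSA-DES-CBC3-SHA": "DHE_RSA"}

def expected_flow(kx, client_auth=False):
    """Return the full-handshake message order for key exchange `kx`."""
    flow = ["client hello", "server hello", "server cert"]
    if kx not in NO_SERVER_KX:
        flow.append("server key exchange")   # e.g. signed DHE parameters
    if client_auth:
        flow.append("certificate request")
    flow.append("server hello done")
    if client_auth:
        flow.append("client cert")
    flow.append("client key exchange")
    if client_auth:
        flow.append("certificate verify")
    flow += ["client change cipher spec", "client finished",
             "server change cipher spec", "server finished"]
    return flow

def check_trace(trace, kx, client_auth=False):
    """Compare a trace with the expected flow; return a list of findings."""
    want = expected_flow(kx, client_auth)
    findings = [f"missing: {m}" for m in want if m not in trace]
    findings += [f"unexpected: {m}" for m in trace if m not in want]
    # Messages present in both must appear in the same relative order.
    if [m for m in trace if m in want] != [m for m in want if m in trace]:
        findings.append("out of order")
    return findings

# Trace from the post, labels normalized ("client hello V2" -> "client hello",
# "server cert + chain" -> "server cert").
POST_TRACE = ["client hello", "server hello", "server cert",
              "server hello done", "client key exchange",
              "client change cipher spec", "client finished",
              "server change cipher spec", "server finished"]

if __name__ == "__main__":
    for cipher, kx in OPENSSL_KX.items():
        print(cipher, kx, check_trace(POST_TRACE, kx) or "matches expected flow")
```

The "0 bytes read" figure is a separate matter: per the s_time manual page, without the -www <page> option s_time only performs handshakes and transfers no payload data.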